-2- 



AMENDMENTS TO THE CLAIMS 
Amended claims follow: 

1. (Currently Amended) A computer program product embodied on a tangible 
computer readable medium operable to detect malicious computer program activity, 
comprising: 

logging code operable to log a stream of external program calls; 

primary set identifying code operable to identify, within said stream of external 
program calls, a primary set of one or more external program calls matching one or more 
rules indicative of malicious computer program activity from among a set of rules; 

secondary set identifying code operable to identify, within said stream, at least 
one secondary set of one or more external program calls associated with said primary set 
of one or more external program calls; and 

modifying code operable to modify said set of rules such that said at least one 
secondary set of one or more external program calls are more strongly associated with 
malicious computer program activity. 

2. (Original) A computer program product as claimed in claim 1, wherein one of 
said at least one secondary set of one or more external program calls precedes said 
primary set of one or more external program calls within said stream of external program 
calls. 

3. (Original) A computer program product as claimed in claim 1, wherein said 
external program calls are application program interface calls to an operating system. 

4. (Original) A computer program product as claimed in claim 1, wherein each of 
said external program calls has one or more characteristics compared against said set of 
rules. 
5. (Original) A computer program product as claimed in claim 4, wherein said one 
or more characteristics include: 

a call name; 

a return address; 

one or more parameter values; and 

one or more returned results. 

6. (Original) A computer program product as claimed in claim 1, wherein rules 
within said set of rules specify score values of external program calls having 
predetermined characteristics and a set of one or more external program calls is identified 
as corresponding to malicious computer program activity if said set of one or more 
external program calls has a combined score value exceeding a threshold level. 

7. (Currently Amended) A computer program product as claimed in claim 6, 
wherein score values within [[said]]a set of rules associated with said secondary set of 
one or more external program calls are increased to more strongly associate said 
secondary set of external program calls with malicious computer program activity. 

8. (Original) A computer program product as claimed in claim 1, wherein said set of 
rules include at least one of: 

one or more pattern matching rules; and 
one or more regular expression rules. 

9. (Original) A computer program product as claimed in claim 1, wherein said set of 
rules are responsive to ordering of external program calls. 

10. (Original) A computer program product as claimed in claim 1, wherein said 
modifying code dynamically adapts said set of rules in response to detected streams of 
external program calls performing malicious computer program activity. 
11. (Original) A computer program product as claimed in claim 1, wherein at least 
changes within said set of rules are transmitted to one or more remote computers such that 
said one or more remote computers can use said modified set of rules without having to 
suffer said malicious computer program activity. 

12. (Original) A computer program product as claimed in claim 1, wherein changes 
within said set of rules are transmitted to a rule supplier. 

13. (Original) A computer program product as claimed in claim 1, wherein said 
stream of external program calls are logged following emulation of execution of a 
computer program. 

14. (Original) A computer program product as claimed in claim 1, wherein said set of 
rules is modified to include a new rule corresponding to said secondary set of one or 
more external program calls, said new rule thereafter being used in addition to other rules 
within said set of rules. 

15. (Original) A computer program product as claimed in claim 1, comprising starting 
point identifying code operable to identify a starting point of malicious computer 
program activity within said stream of external program calls. 

16. (Original) A computer program product as claimed in claim 15, wherein said 
starting point corresponds to one of: 

starting execution of a computer file; and 

a switch of memory address region from which program instructions are executed. 

17. (Original) A computer program product as claimed in claim 1, wherein said set of 
rules is subject to a validity check after modification to determine if said set of rules is 
more effectively detecting malicious computer program activity. 
18. (Original) A method of detecting malicious computer program activity, said 
method comprising the steps of: 

logging a stream of external program calls; 

identifying within said stream of external program calls a primary set of one or 
more external program calls matching one or more rules indicative of malicious computer 
program activity from among a set of rules; 

identifying within said stream at least one secondary set of one or more external 
program calls associated with said primary set of one or more external program calls; and 

modifying said set of rules such that said at least one secondary set of one or more 
external program calls are more strongly associated with malicious computer program 
activity. 

19. (Original) A method as claimed in claim 18, wherein one of said at least one 
secondary set of one or more external program calls precedes said primary set of one or 
more external program calls within said stream of external program calls. 

20. (Original) A method as claimed in claim 18, wherein said external program calls 
are application program interface calls to an operating system. 

21. (Original) A method as claimed in claim 18, wherein each of said external 
program calls has one or more characteristics compared against said set of rules. 

22. (Original) A method as claimed in claim 21, wherein said one or more 
characteristics include: 

a call name; 
a return address; 

one or more parameter values; and 
one or more returned results. 

23. (Original) A method as claimed in claim 18, wherein rules within said set of rules 
specify score values of external program calls having predetermined characteristics and a 
set of one or more external program calls is identified as corresponding to malicious 
computer program activity if said set of one or more external program calls has a 
combined score value exceeding a threshold level. 

24. (Currently Amended) A method as claimed in claim 23, wherein score values 
within [[said]]a set of rules associated with said secondary set of one or more external 
program calls are increased to more strongly associate said secondary set of external 
program calls with malicious computer program activity. 

25. (Currently Amended) A method as claimed in claim 18, wherein said set 
of rules include at least one of: 

one or more pattern matching rules; and 
one or more regular expression rules. 

26. (Original) A method as claimed in claim 18, wherein said set of rules are 
responsive to ordering of external program calls. 

27. (Original) A method as claimed in claim 18, wherein said step of modifying said 
set of rules dynamically adapts said set of rules in response to detected streams of 
external program calls performing malicious computer program activity. 

28. (Original) A method as claimed in claim 18, wherein at least changes within said 
set of rules are transmitted to one or more remote computers such that said one or more 
remote computers can use said modified set of rules without having to suffer said 
malicious computer program activity. 

29. (Original) A method as claimed in claim 18, wherein changes within said set of 
rules are transmitted to a rule supplier. 

30. (Original) A method as claimed in claim 18, wherein said stream of external 
program calls are logged following emulation of execution of a computer program. 
31. (Original) A method as claimed in claim 18, wherein said set of rules is modified 
to include a new rule corresponding to said secondary set of one or more external 
program calls, said new rule thereafter being used in addition to other rules within said 
set of rules. 

32. (Original) A method as claimed in claim 18, comprising identifying a starting 
point of malicious computer program activity within said stream of external program 
calls. 

33. (Original) A method as claimed in claim 32, wherein said starting point 
corresponds to one of: 

starting execution of a computer file; and 

a switch of memory address region from which program instructions are executed. 

34. (Original) A method as claimed in claim 18, wherein said set of rules is subject to 
a validity check after modification to determine if said set of rules is more effectively 
detecting malicious computer program activity. 

35. (Original) A data processing apparatus operable to detect malicious computer 
program activity, said apparatus comprising: 

logging logic operable to log a stream of external program calls; 

primary set identifying logic operable to identify, within said stream of external 
program calls, a primary set of one or more external program calls matching one or more 
rules indicative of malicious computer program activity from among a set of rules; 

secondary set identifying logic operable to identify, within said stream, at least 
one secondary set of one or more external program calls associated with said primary set 
of one or more external program calls; and 

modifying logic operable to modify said set of rules such that said at least one 
secondary set of one or more external program calls are more strongly associated with 
malicious computer program activity. 
36. (Original) An apparatus as claimed in claim 35, wherein one of said at least one 
secondary set of one or more external program calls precedes said primary set of one or 
more external program calls within said stream of external program calls. 

37. (Original) An apparatus as claimed in claim 35, wherein said external program 
calls are application program interface calls to an operating system. 

38. (Original) An apparatus as claimed in claim 35, wherein each of said external 
program calls has one or more characteristics compared against said set of rules. 

39. (Original) An apparatus as claimed in claim 38, wherein said one or more 
characteristics include: 

a call name; 
a return address; 

one or more parameter values; and 
one or more returned results. 

40. (Original) An apparatus as claimed in claim 35, wherein rules within said set of 
rules specify score values of external program calls having predetermined characteristics 
and a set of one or more external program calls is identified as corresponding to 
malicious computer program activity if said set of one or more external program calls has 
a combined score value exceeding a threshold level. 

41. (Currently Amended) An apparatus as claimed in claim 40, wherein score values 
within [[said]]a set of rules associated with said secondary set of one or more external 
program calls are increased to more strongly associate said secondary set of external 
program calls with malicious computer program activity. 

42. (Original) An apparatus as claimed in claim 35, wherein said set of rules include 
at least one of: 

one or more pattern matching rules; and 
one or more regular expression rules. 

43. (Original) An apparatus as claimed in claim 35, wherein said set of rules are 
responsive to ordering of external program calls. 

44. (Original) An apparatus as claimed in claim 35, wherein said modifying logic 
dynamically adapts said set of rules in response to detected streams of external program 
calls performing malicious computer program activity. 

45. (Original) An apparatus as claimed in claim 35, wherein at least changes within 
said set of rules are transmitted to one or more remote computers such that said one or 
more remote computers can use said modified set of rules without having to suffer said 
malicious computer program activity. 

46. (Original) An apparatus as claimed in claim 35, wherein changes within said set 
of rules are transmitted to a rule supplier. 

47. (Original) An apparatus as claimed in claim 35, wherein said stream of external 
program calls are logged following emulation of execution of a computer program. 

48. (Original) An apparatus as claimed in claim 35, wherein said set of rules is 
modified to include a new rule corresponding to said secondary set of one or more 
external program calls, said new rule thereafter being used in addition to other rules 
within said set of rules. 

49. (Original) An apparatus as claimed in claim 35, comprising starting point 
identifying logic operable to identify a starting point of malicious computer program 
activity within said stream of external program calls. 

50. (Original) An apparatus as claimed in claim 49, wherein said starting point 
corresponds to one of: 

starting execution of a computer file; and 

a switch of memory address region from which program instructions are executed. 

51. (Original) An apparatus as claimed in claim 35, wherein said set of rules is 
subject to a validity check after modification to determine if said set of rules is more 
effectively detecting malicious computer program activity. 

52. (New) A computer program product as claimed in claim 1, further comprising 
applying high level rules to the modified set of rules, and promoting said modified set of 
rules from a temporary set to a permanent set based on the application of the high level 
rules to the modified set of rules. 

53. (New) A computer program product as claimed in claim 1, further comprising 
determining whether said modified set of rules decrease malicious network traffic, and 
promoting said modified set of rules from a temporary set to a permanent set if it is 
determined that said modified set of rules decrease said malicious network traffic. 
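Worked example (added here; not code from the application or its applicant): a toy implementation of the scheme recited in claims 1-17 and 52-53, run over constructed call streams. The rule format (per-call score values plus ordered-pair bonuses), the call names, the scores, the threshold of 6, the 64 KiB "memory address region" mask and the helper names are assumptions, not taken from the claims. It logs calls with the claim 5 characteristics, finds the primary set as the smallest run of consecutive calls whose combined score exceeds the threshold (claim 6), takes the secondary set as the calls that precede it back to the starting point where execution switched memory region (claims 2, 15, 16), raises the secondary calls' scores and adds one new ordering rule (claims 7, 9, 14), and promotes the modified rules from temporary to permanent only if a validity check passes (claims 17, 52, 53). The over-bumped run shows the failure mode the validity check exists for: a benign program that also resolves VirtualAlloc would start to match.

```python
"""Rule-adapting API-call monitor in the style of claims 1-17 (added example, not the
patent's code; rule format, call names, scores and the region mask are assumed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGE_MASK = ~0xFFFF  # assumed granularity of a "memory address region" (claim 16)

@dataclass(frozen=True)
class Call:
    """One logged external call with the claim 5 characteristics."""
    name: str
    return_address: int
    params: Tuple
    result: int

@dataclass
class RuleSet:
    """Assumed rule shape: per-call scores plus ordered-pair bonuses (claims 6 and 9)."""
    scores: Dict[str, int]
    sequences: Dict[Tuple[str, str], int]
    threshold: int

    def score(self, calls: List[Call]) -> int:
        total = sum(self.scores.get(c.name, 0) for c in calls)
        for a, b in zip(calls, calls[1:]):  # ordering-sensitive part of the rules
            total += self.sequences.get((a.name, b.name), 0)
        return total

def starting_point(stream: List[Call]) -> int:
    """Claim 16: first index at which calls start coming from a different memory region."""
    for i in range(1, len(stream)):
        if stream[i].return_address & PAGE_MASK != stream[i - 1].return_address & PAGE_MASK:
            return i
    return 0

def find_primary(stream: List[Call], rules: RuleSet, max_window: int = 3) -> Optional[Tuple[int, int]]:
    """Smallest run of consecutive calls whose combined score exceeds the threshold."""
    for size in range(1, max_window + 1):
        for i in range(len(stream) - size + 1):
            if rules.score(stream[i:i + size]) > rules.threshold:
                return (i, i + size)
    return None

def find_secondary(stream: List[Call], primary: Tuple[int, int], start: int, lookback: int = 2) -> List[Call]:
    """Claim 2: calls preceding the primary set, back no further than the starting point."""
    return stream[max(start, primary[0] - lookback):primary[0]]

def adapt(rules: RuleSet, secondary: List[Call], first_primary: Call, bump: int) -> RuleSet:
    """Claims 7 and 14: raise the secondary calls' scores and add one new ordering rule."""
    new = RuleSet(dict(rules.scores), dict(rules.sequences), rules.threshold)
    for c in secondary:
        new.scores[c.name] = new.scores.get(c.name, 0) + bump
    if secondary:
        key = (secondary[-1].name, first_primary.name)
        new.sequences[key] = new.sequences.get(key, 0) + bump
    return new

def validity_check(candidate: RuleSet, baseline: RuleSet, malicious, benign) -> bool:
    """Claims 17 and 52/53: promote only if known-bad streams are caught no later than
    before and no benign stream starts to match (the over-fitting failure mode)."""
    for s in malicious:
        before, after = find_primary(s, baseline), find_primary(s, candidate)
        if after is None or (before is not None and after[1] > before[1]):
            return False
    return all(find_primary(s, candidate) is None for s in benign)

def learn(stream, rules, benign, bump=2):
    """One cycle: detect, find preceding calls, adapt, validate -> (rules in force, promoted?)."""
    primary = find_primary(stream, rules)
    if primary is None:
        return rules, False
    secondary = find_secondary(stream, primary, starting_point(stream))
    candidate = adapt(rules, secondary, stream[primary[0]], bump)
    ok = validity_check(candidate, rules, [stream], benign)
    return (candidate if ok else rules), ok

# Constructed sample data (not captured from a real system).
BASE_RULES = RuleSet(
    scores={"VirtualAlloc": 1, "WriteProcessMemory": 3, "CreateRemoteThread": 4},
    sequences={("WriteProcessMemory", "CreateRemoteThread"): 2},
    threshold=6,
)
INJECTOR = [  # unpacks into a new region (index 2 onward), then injects into process 0x88
    Call("CreateFile", 0x00401000, ("payload.bin",), 0x44),
    Call("ReadFile", 0x00401020, (0x44, 4096), 1),
    Call("GetProcAddress", 0x00A20010, ("kernel32", "WriteProcessMemory"), 0x7C80F000),
    Call("VirtualAlloc", 0x00A20030, (0, 4096, 0x40), 0x00B00000),
    Call("WriteProcessMemory", 0x00A20050, (0x88, 0x00B00000), 1),
    Call("CreateRemoteThread", 0x00A20070, (0x88, 0x00B00000), 0x9C),
]
BENIGN = [[  # ordinary file reader that also resolves and calls VirtualAlloc
    Call("CreateFile", 0x00401000, ("config.ini",), 0x48),
    Call("GetProcAddress", 0x00401040, ("kernel32", "VirtualAlloc"), 0x7C80A000),
    Call("VirtualAlloc", 0x00401060, (0, 65536, 0x04), 0x00C00000),
    Call("ReadFile", 0x00401080, (0x48, 65536), 1),
    Call("CloseHandle", 0x004010A0, (0x48,), 1),
]]
```

With the base rules the injector is only caught after CreateRemoteThread, the sixth call; learn(INJECTOR, BASE_RULES, BENIGN) promotes the adapted rules, under which the VirtualAlloc, WriteProcessMemory pair already exceeds the threshold, one call earlier. The same cycle with bump=10 is rejected and the base rules stay in force, because GetProcAddress alone would then score above the threshold and the benign stream would be flagged; that is the check of claims 17 and 52/53 doing its job before a temporary rule set becomes permanent or is pushed to remote computers (claims 11, 12).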



